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By email only: OrgChgDir@health-ni.gov.uk 

17 September 2021 

Dear Department of Health, 

RE: Future Planning Model - Targeted Stakeholder Consultation 


Thank you for inviting the Information Commissioner’s Office (ICO) to 
respond to the above consultation. 


As you will be aware, the Information Commissioner's role includes the 
regulation of the Data Protection Act 2018 (DPA18), the UK General Data 
Protection Regulation (UK GDPR) and the Freedom of Information Act 
2000. Given our role as a regulator, it would not be appropriate for us to 
respond in detail to the merits of the Future Planning Model set out in 
Annex A. 


However, we acknowledge the importance of an integrated health and 
social care provision in the community and the requirement to share 
personal data in order to deliver this. Ensuring personal data is held and 
shared appropriately is vital in upholding public trust and confidence. 
Consideration should be given to the completion of a Data Protection 
Impact Assessment (DPIA) in relation to the Future Planning Model to 
ensure that all relevant data protection issues have been given due 
consideration, any risks associated with same identified and sufficiently 
mitigated. 


We have provided general comments on the consultation document and 
proposed Future Planning Model for your consideration below. 


Data sharing 

The consultation document references a number of different organisations 
involvement in the proposed integrated care system, including the Public 
Health Agency, Health & Social Care Trusts and local providers. When 
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sharing personal data, it is important organisations give careful 
consideration to the data protection implications of any sharing 
arrangement(s). Organisations should ensure any data shared is done so 
in a lawful and fair manner in accordance with UK data protection law. 
You may wish to consult our new Data Sharing Code of Practice which can 
be found here on our website when considering these matters. 


Data sharing agreements 

Organisations involved in data sharing should consider putting in place a 
data sharing agreement. Data sharing agreements should set out the 
purpose of the data sharing, cover what happens to the data at each 
stage, set standards and help all parties involved in the sharing to be 
clear about their roles and responsibilities. Having a data sharing 
agreement in place helps organisations demonstrate their compliance with 
accountability obligations under the UK GDPR. 


Data sharing agreements should also address any practical problems that 
may arise when sharing personal data. This should ensure that all 
organisations involved clearly understand what personal data they can 
share. This should assist with the prevention of irrelevant or excessive 
information being disclosed. Such agreements will also assist with 
ensuring that organisations have common technical and organisational 
security arrangements in place and address any operational differences 
which may exist with respect to retention or deletion periods. 


Security and data minimisation 

Given the sensitive nature of the personal information likely to be 
collected within a health and social care setting, specific and detailed 
consideration should be given to ensuring appropriate security measures 
are implemented so that personal information is not compromised. The 
completion of a DPIA can assist with identifying any potential risks 
associated with proposed personal data processing. As part of this, the 
Department of Health (DOH) should consider areas such as cyber 
security, the risk of data breaches, the risk of human error, inappropriate 
access to sensitive personal data, staff training and data storage. 


Population level data 

Section 5 of the proposed Future Planning Model refers to “the gathering, 
analysis, sharing and use of population level data along with known 
evidence-based interventions to inform decision making and evaluation”. 
Consideration will need to be given as to whether this population level 
data will be personal data, anonymised data or pseudonymised data. It 
is important to establish this from the outset as it will impact the legal 
requirements placed on such data. You can find more guidance on each of 
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these here on our website, along with our Anonymisation code of practice 
which, although written under the old Data Protection Act 1998, still 
contains useful guidance on the process of anonymisation which remains 
applicable under the current legislation. 


Regional Group and Area Integrated Partnership Board 

Sections 8, 9 and 10 of the Proposed Future Planning Model set out the 
proposals for the establishment of a Regional Group and an Area 
Integrated Partnership Board. Consideration should be given to the 
standing of these bodies from a data protection perspective and whether 
the intention is that they are to be a data controller in their own right, or 
whether they will fall under the controllership of the DOH. The DPIA 
should assist you in establishing this remit. 


Data sharing in an emergency 

If it can be reasonably foreseen that organisations may need to share 
data in emergency or critical situations this should be considered within a 
DPIA. UK data protection law does not prevent the sharing of personal 
data where it is appropriate to do so, and in an emergency organisations 
should share data as necessary and proportionate, taking subsequent 
steps to ensure any action taken is documented in order to comply with 
accountability obligations. 


Article 36(4) requirements 

Section 15.3 of the proposed Future Planning Model makes reference to 
work which will “help to identify if there is any requirement to underpin 
the model with specific legislation”. Article 36(4) of the UK GDPR requires 
government departments and other public sector bodies to consult with 
the ICO on policy proposals for legislative or statutory measures relating 
to the processing of personal data. If a decision is made to proceed with 
specific legislation to underpin the Future Planning Model, DOH will need 
to consider whether such legislative proposals will initiate the requirement 
under Article 36(4) for the DOH to consult with our office on same. The 
DCMS guidance on the consultation process under Article 36(4) is 
available here, alongside the Article 36(4) Enquiry Form which needs to 
be submitted to our office. 


To conclude, while the ICO would not have a view on the suggested 
approach to implementation any process put in place should have 
systems within it to ensure compliance with data protection legislation 
and allow for individuals to exercise their rights. You can find further 
guidance on this within our Guide to the UK GDPR. 
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Our NI regional office would welcome the opportunity to discuss this 
response with you further should you have any queries. 


Yours sincerely, 


Caroline Mooney 
Regional Manager, ICO - Northern Ireland 
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